Nortel Networks NN46110-602 instruction

Appendix D Configuring for interoperability 221

Figure 13 Split tunneling example

Printer

192.19.2.33

	Public	10.2.3.3
	Data Network
		10.2.3.2

192.168.43.6	VPN Router

192.19.2.32

Remote User 192.19.2.31

10.2.3.410.10.0.1

Archive

10.10.0.5

Mail Server

To configure the VPN Router as a user tunnel:

1Select Profiles > Groups and click Add. Enter a group name of up to 64 characters (spaces are permitted); for example, Research and Development.

2Click Edit next to the name of the new group, scroll down to the IPsec section, and click Configure.

The IPsec Edit window appears.

3Enable Split tunneling if you want your VPN Router to control the networks that the third-party client can access. If you disable split tunneling and enable Allow undefined networks for non-Nortel VPN Clients, the clients can connect to all internal networks. If you select both Split Tunneling and Allow undefined networks for non-Nortel VPN Clients, the VPN Router uses the split tunneling feature and ignores the Allow undefined networks selection.

4Under Client Selection, select Non-Nortel VPN Clients (LINUX) or Both Nortel and Non-Nortel VPN Clients from the list.

5Third-party clients can use either preshared key or digital certificate authentication. Click to enable the user name and password to authenticate user identity. If you are using Main mode, the user name is the user’s IP address and the password can be any password.

Click RSA Digital Signature to enable certificate authentication if your

client supports this. You must then select a default server certificate from the list. You configure servers from the System > Certificates window.

Nortel VPN Router Troubleshooting

Image 221

Nortel Networks NN46110-602 manual To configure the VPN Router as a user tunnel

Contents

Nortel VPN Router Troubleshooting Trademarks Copyright 2007 Nortel Networks. All rights reservedRestricted rights legend Statement of conditions Nortel Networks Inc. software license agreement Nortel VPN Router Troubleshooting General Contents Chapter Status and logging Chapter Troubleshooting Chapter Packet capture Appendix a MIB support Appendix B Using serial PPP Index Contents NN46110-602 Figures Figures NN46110-602 Tables Tables NN46110-602 Text conventions Before you begin Italic text Acronyms L2TP Related publications Finding the latest updates on the Nortel Web site Hard-copy technical manuals How to get help Getting help from the Nortel Web site Getting help over the phone from a Nortel Solutions Center Getting help through a Nortel distributor or reseller New in this release Features Snmp interface index enhancement Automatic backupsPcap enhancements Administrator settings Chapter VPN Router administration VPN Router administration Tools Dynamic password File management System configuration Simple Network Management Protocol Snmp VPN Router administration Admin Snmp Traps window Click Enable for User IP Address Pool To configure the amount Chapter Status and logging Reports Sessions Statistics SystemHealth check Accounting records Accounting Data collection task Radius accounting Timestamp Event log Logs Event logs Select Status Event Log Capture and display filters Configure Display Entity Security log System log Configuration log Shutdown Chapter Administrative tasks Using the recovery diskette RecoveryAccessing the diskette drive Recovery Diskette window Software/backup/v101/SN01001 Administrative tasks Automatic backups Transferring backup files through Sftp Using the GUI for automatic backupTriggering a backup when a file or directory changes Select Admin Auto Backup Automatic Backup window appears. Figure Click Configure Specific Backup To overwrite a file, click Overwrite files at destination Specific Automatic Backup window Using the CLI for automatic backup Backing up changes to specific files or directories Stopping the backup of specific files and directoriesBacking up specific files and directories Stopping the transfer of backup files using Sftp Using Sftp to transfer backup files Upgrading the software Disabling new loginsSelect Admin Shutdown Click Disable new logins. Figure Checking available disk space Select Admin File System Creating a control tunnel to upgrade from a remote location Backing up system files Creating a recovery disketteSelect Admin Recovery and click Create Diskette Retrieving the new software Select Admin Upgrades FTP menu example Internal Radius Accounting Interim Radius Accounting Record Before completing the upgrade Applying the software After you upgrade the softwareSelect Admin Shutdown and deselect Disable new logins Administrative tasks Chapter Troubleshooting Client-based tools Troubleshooting tools Other tools System-based tools Diagnosing client connectivity problems Solving connectivity problems Common client connectivity problems Authentication failed Login not allowed at this timeRemote host not responding Maximum number of sessions reached Extranet connection lost Other IPsec errorsNo proposal chosen Problems with name resolution using DNS services Cannot browse the network with NetBEUI Network browsing problems Troubleshooting Diagnosing WAN link problems Check the T1/V.35 interface Check the PPP layer Check the Hdlc framing Performance tips for configuring Microsoft networking Solving performance problemsEliminating modem errors Hardware encryption accelerator connectivity What should be configured on the Pptp or IPsec client? What Wins settings are recommended? Why should Wins settings be different for extranet access? What can you try on the Wins server when it is not working? Can I control which machine is the master browser? Why are subnet masks important? What should I do about subnets? Why cant I browse another client in a different tunnel? Troubleshooting Additional information Web browser problems and the VPN Client Manager Solving general problems Improving performance with Internet Explorer Long delays when Web browsingEnabling Web browser options Clearing your Web browser cache when upgrading Web browser error messagesInternal error message Clearing cache Excess resource consumption using Internet Explorer New administrator login ignoredDocument not found message Internet Explorer 4.0 multiple help windows System problems Reporting a problem with a Web browserPower failure Distorted background images Select Servers Ldap Click Stop Server Group and user profile settings not saved Client address redistribution problems Solving routing problems An error occurred while parsing the policy Solving firewall problemsAn error occurred while communicating with the VPN Router Action Close the Stateful Firewall Manager Unable to communicate with the VPN Router Authorization failed. Please try againContents of the database may have changed Deselect Cache JARs in Memory System files were not loaded properlyAction Troubleshooting NN46110-602 Chapter Packet capture Pcap features File format Security features Tunnel captures Capture typesPhysical interface captures Global IP captures Triggers Filters and triggersCapture filters Memory considerations Saving captured data Performance considerations Enabling packet capture on a VPN Router Serial main menu appears Enter Privileged Exec mode Capturing packets to disk file Setting the Pcap file path Setting the maximum number of disk capture files Setting the size of the RAM bufferSetting the size of a disk capture file Creating a capture object Configuring and running packet capture objectsSaving captured data Configuring a capture object CES#capture ether0 Tunnel capture parameters Starting, stopping, and saving capture objects Using the show capture command to display capture status CES# show capture Exit Capture Configuration mode Sample packet capture configurationsInterface capture object using a filter and direction CES#show capture test-filter-in Interface capture object using triggers CES#capture test-trigger start CES#show capture test-trigger Capture state Stopped by stop Tunnel capture object using a remote IP address Locate the Microsoft Windows row and click local archive Installing Ethereal softwareViewing a packet capture output file on a PC Saving, downloading, and viewing Pcap files Click ethereal-setup-n.nn.n.exe Global IP capture Viewing a Pcap file with Sniffer Pro Click Tools Options Protocol Forcing Deleting capture objects and disabling packet capture CES# no capture test-trigger Packet capture NN46110-602 Novell IPX MIB Snmp RFC supportNovell RIP-SAP MIB RFC 1850-OSPF Version 2 Management Information Base RFC 2667-IP Tunnel MIB RFC 1724-RIP Version 2 MIB ExtensionRFC 1213-Network Management of TCP/IP-Based Internets RFC 2737-Entity MIB RFC 2787-VRRP MIB RFC 2233-If MIB RFC 1573-IanaIfType MIBRFC 2571-Snmp-Framework MIB RFC2790-Host Resources MIB RFC2495-DS1 MIB VPN Router MIB RFC2863 Interface MIB 64 bit counters support TRAP-TYPE Cestraps.mib-Nortel proprietary MIB Variables Newoak.mib Hardware-related traps Appendix a MIB support Appendix a MIB support Appendix a MIB support Server-related traps Appendix a MIB support Software-related traps Login-related traps System-related traps Intrusion-related traps Information passed with every trap Provides trap categories and explanations Provides descriptions for the VPN Router traps Appendix a MIB support VPN Router traps MIB descriptions Appendix a MIB support VPN Router traps MIB descriptions Attached Failed Please note that X corresponds to Is not reachable and at least one Appendix a MIB support Appendix a MIB support VPN Router traps MIB descriptions IfReasonForStatus-ces-reason for the change in status Appendix a MIB support VPN Router traps MIB descriptions That triggered this event Appendix a MIB support VPN Router traps MIB descriptions Appendix a MIB support VPN Router traps MIB descriptions That triggered this event Establishing a serial PPP connection Appendix B Using serial PPP Double-click the Microsoft Dial-Up Networking icon Setting up a Dial-Up Networking connection Select System Settings Setting up the VPN RouterSetting up the modem Appendix B Using serial PPP Dialing in to the VPN Router Troubleshooting Serial PPPCause Actions Action PPP option settings Appendix B Using serial PPP NN46110-602 Certificate messages Error removing CA certificate fileInstalled new CA certificate from file TCert task creation failed TCert X.509 certificates disabled in flash memoryTCert Shutdown complete Isakmp 13 No proposal chosen in message from xxx a.b.c.d Isakmp messages Isakmp 13 Authentication failure in message from xxx a.b.c.d No response from client-logging out Isakmp 13 xxx a.b.c.d has exceeded idle timeout-logging out Branch office messages Couldnt install route for remxxx@xxx Checking chain invalid parent cert SSL messagesChecking chain invalid child cert Child cert xxx not valid signature by xxx Database messages Configuration file xxx does not existNo matching trusted CA certs Failed to start Security messages Ldif file could not restoreAccount xxxxxx uid xxx not found in account AuthServer ldap inconsistent no server type in entry Security store new system name xxx failed-xxx Conn backlog reached, possible SYN attackSecurity store new system IP address xxx failed-xxx Error copying subentries of xxx to Error copying entry xxx toError copying tree xxx to Security store new system subnet mask xxx failed-xxx Error deleting tree Error deleting entrySchemaCls Database schema not available LocalAuthServer failed remove-xxx Session xxxxxx invalid uid-authentication failed Session xxx uid invalid-authentication failedXxx xxx being referenced by Session xxxxxx session rejected-system is initializing Session xxxxxxxxx AddLink failed xxx current links Session xxxxxxxxx xxx auth method not allowed Session xxxxxxxxx account is disabled Session xxxxxxxxx L2TP host xxx account misconfiguredSession xxxxxxxxx IP address assignment failed Session xxxxxxxxx account has max links Session xxxxxxxxx connect Qos level xxx full Session xxxxxxxxx authentication failed usingSession xxxxxxxxx account not allowed now Disable logins after restart checkbox is selected Session xxxxxxxxx login rejected new logins disabledSession xxxxxxxxx no memory free xxx threshold Session xxxxxxxxx only one session/static address allowed Session xxxxxxxxx session directed to use server Session xxxxxxxxx pool address xxx already in useSession xxxxxxxxx static address xxx already in use Session xxxxxxxxx system has max sessions Radius server-name server timed out Radius accounting messagesRadius no reply from server server-nameport number Non-matching ID in server response Radius server-name server failedIndicated packet length too large Received bad attribute type from server Unsupported response type number received from serverResponse OK Radius user-name accounting record sent to server-name OK Radius no reply from Radius server server-nameport number Radius authentication messagesLogin failure due to Server network connection failure Radius server-name server timed out authenticating user-name Non-matching id in server response Radius access challenge received Radius server returned access challengeRadius server rejected access Radius server-name sent challenge for user-name Radius user-name access OK by server server-name Radius user-name access Denied by server server-nameOspf Disabled Routing messages Opened OSPF-RTM connection Ospf EnabledClosing OSPF-RTM connection LoadOspfAreas Failed Can not accept x.x.x.x as router idLoadOspfIntf Failed VR xxx Starting xxx as Master for VR xxx Shutting down xxx on VR xxx Starting xxx as Backup forVR xxx Starting xxx as master delayed Backup for RIP xxx RIP Enabled Unable to get configuration for VRRIP xxx RIP Disabled RIP xxx Cant alloc main node RIP xxx Unable to register with UDP RIP xxx Circuit xxx deletedRIP xxx setsockopt RIP socket xxx Sorcvbuf xxx failed RIP xxx bind RIP socket xxx failed RIP xxx cid xxx mismatched auth password from RIP xxx Unable to spawn timer task xxx for RIPInterface nnn not present, deleting from config Interface nnn replaced, resetting config HWAccel nnn not present, deleting from config Interface nnn replaced, deleting from config Appendix C System messages NN46110-602 Configuring the Cisco 2514 router, Version Appendix D Configuring for interoperability VPN Router and Cisco 2514 network topology NN46110-602 Following is a show config command Configuring the VPN Router for Cisco interoperability Appendix D Configuring for interoperability Mask Connecting to IRE SafeNET/Soft-PK Security Policy Client Click Pre-Shared Key 10.42 SafeNet/Soft-PK Security Policy Editor dialog box appears Encapsulation Protocol ESP Configuring the VPN Router for IRE interoperabilitySA Life Seconds and 3000 Seconds Go to Profiles Networks and click Edit Third-party client installation Considerations for using third-party clients Appendix D Configuring for interoperability Configuring the VPN Router as a branch office tunnel Set Perfect Forward Secrecy PFS to match the client side Configuring the VPN Router as a user tunnel To configure the VPN Router as a user tunnel Configuring IPX IPX client Sample IPX VPN Router topology IPX group configurationWindows 95 and Windows Windows NT IPX topology Nortel VPN Router Troubleshooting Appendix D Configuring for interoperability NN46110-602 Index Index Pptp Wins